[Snort-users] Pulledpork doesn't disable some rules

C. L. Martinez carlopmart at ...11827...
Tue Apr 15 02:28:36 EDT 2014


On Mon, Apr 14, 2014 at 5:11 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> On 4/14/2014 3:32 AM, C. L. Martinez wrote:
>> Cleanup....
>> removed 55 temporary snort files or directories from /tmp/tha_rules!
>> Processing /data/config/etc/idpsuricata02/pulledpork/disablesid.conf....
>> Disabled 1:2009005
>> Disabled 1:2011582
>> Modified 2 rules
>> Done
>> Setting Flowbit State....
>> WARN - 1:2011582 is re-enabled by a check of the
>> ET.http.javaclient.vulnerable flowbit!
> [...]
>> Uhmm .. How can I avoid this situation??
>
> disable the rules that rely on that flowbit as well as the rule(s) that set it...
>
> --

Thanks waldo and YM. After seeing the different possibilities, I am
using threshold.conf to disable this alert.
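
Added example, not part of the original thread and not PulledPork's own code: a Python helper for the approach waldo describes, listing every rule that sets or checks a given flowbit so they can all go into disablesid.conf together. The sample rules and their SIDs are constructed, the function names are hypothetical, and the parsing is a simplification of real rule syntax.

```python
import re

# Constructed sample rules (not real ET signatures); the SIDs are placeholders.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"constructed setter"; flowbits:set,ET.http.javaclient.vulnerable; flowbits:noalert; sid:9000001; rev:1;)
alert tcp any 80 -> any any (msg:"constructed checker"; flowbits:isset,ET.http.javaclient.vulnerable; sid:9000002; rev:1;)
# alert tcp any 80 -> any any (msg:"constructed checker, already disabled"; flowbits:isset,ET.http.javaclient.vulnerable; sid:9000003; rev:1;)
alert tcp any any -> any 80 (msg:"constructed unrelated"; flowbits:set,other.bit; sid:9000004; rev:1;)
"""

SETTERS = {"set", "setx", "unset", "toggle"}   # operations that change a flowbit
CHECKERS = {"isset", "isnotset"}               # operations that test a flowbit

RULE_RE = re.compile(r"^\s*(#\s*)?(alert|drop|pass|reject|log)\b")
FLOWBIT_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*,\s*([^;,]+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def flowbit_users(rules_text, flowbit):
    """Return {'set': [...], 'check': [...]} of (sid, enabled) per rule using flowbit."""
    result = {"set": [], "check": []}
    for line in rules_text.splitlines():
        rule, sid = RULE_RE.match(line), SID_RE.search(line)
        if not rule or not sid:
            continue                      # blank line, plain comment, or no sid
        enabled = rule.group(1) is None   # a leading '#' marks a disabled rule
        for op, names in FLOWBIT_RE.findall(line):
            # Snort also allows bit1&bit2 / bit1|bit2 in a single flowbits option.
            if flowbit not in [n.strip() for n in re.split(r"[&|]", names)]:
                continue
            if op in SETTERS:
                result["set"].append((int(sid.group(1)), enabled))
            elif op in CHECKERS:
                result["check"].append((int(sid.group(1)), enabled))
    return result


def disablesid_lines(rules_text, flowbit, gid=1):
    """gid:sid entries for every still-enabled rule that sets or checks flowbit."""
    users = flowbit_users(rules_text, flowbit)
    sids = {sid for role in users.values() for sid, enabled in role if enabled}
    return [f"{gid}:{sid}" for sid in sorted(sids)]


if __name__ == "__main__":
    print("\n".join(disablesid_lines(SAMPLE_RULES, "ET.http.javaclient.vulnerable")))
```

Review the resulting list before disabling anything, since every rule that checks the flowbit stops alerting as well.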